Headline
CVE-2014-6195: IT04249: DP DOMINO PLUGIN CAN STILL BE USED BY THE BA JAVA GUI AND WEB GUI EVEN AFTER AUTHENTICATION FAILS WITH THE GUI
The (1) Java GUI and (2) Web GUI components in the IBM Tivoli Storage Manager (TSM) Backup-Archive client 5.4 and 5.5 before 5.5.4.4 on AIX, Linux, and Solaris; 5.4.x and 5.5.x on Windows and z/OS; 6.1 before 6.1.5.7 on z/OS; 6.1 and 6.2 before 6.2.5.2 on Windows, before 6.2.5.3 on AIX and Linux x86, and before 6.2.5.4 on Linux Z and Solaris; 6.3 before 6.3.2.1 on AIX, before 6.3.2.2 on Windows, and before 6.3.2.3 on Linux; 6.4 before 6.4.2.1; and 7.1 before 7.1.1 in IBM TSM for Mail, when the Data Protection for Lotus Domino component is used, allow local users to bypass authentication and restore a Domino database or transaction-log backup via unspecified vectors.
APAR status
- Closed as program error.
Error description
- When using the Tivoli Storage Manager for Mail: Data Protection for Domino plugin to the Tivoli Storage Manager Client’s Java GUI or Web GUI interfaces, use of those interfaces is possible even after a failed authentication attempt. Versions Affected: 5.4, 5.5, 6.1, 6.3, and 7.1
Local fix
- Configure web access, and access to the local machine, in such a manner that only trusted users are allowed to access the TSM Backup-Archive Client Java GUI and Web GUI interfaces.
Problem summary
- USERS AFFECTED: All Tivoli Storage Manager for Mail: Data Protection for Domino 5.4, 5.5, 6.3, 6.4, and 7.1
- PROBLEM DESCRIPTION: See error description and security bulletin tech note located here: http://www.ibm.com/support/docview.wss?uid=swg21695183
Problem conclusion
- The Tivoli Storage Manager Client software has been updated to prohibit usage of the Java GUI or Web GUI interface to Data Protection for Domino after an authentication failure.
Temporary fix
- The complete list of interim fixes, by platform, is detailed in the security bulletin tech note located here: http://www.ibm.com/support/docview.wss?uid=swg21695183
Comments
APAR Information
APAR number
IT04249
Reported component name
TDP FOR DOMINO
Reported component ID
5698DPDAP
Reported release
71W
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2014-09-07
Closed date
2014-09-07
Last modified date
2015-02-12
- APAR is sysrouted FROM one or more of the following:
- APAR is sysrouted TO one or more of the following:
Modules/Macros
- PLUGIN
Fix information
Fixed component name
TDP FOR DOMINO
Fixed component ID
5698DPDAP
Applicable component levels
R71W PSY UP
R71A PSY UP
R71L PSY UP
R63A PSY UP
R63L PSY UP
R63D PSY UP
R63W PSY UP